
Basic iptables configuration

January 20th, 2010

Here is a small, basic example showing how to set up your iptables rules.

First we reset everything. See the man page for exact details on the parameters we use.

iptables -F   # flush all rules from the built-in chains
iptables -Z   # zero the packet and byte counters
iptables -X   # delete all (now empty) user-defined chains

Create some chains that will provide us with some logging.

iptables -N logdrop
iptables -N logreject
iptables -N logaccept

Add some rules to these chains.

iptables -A logdrop -j LOG --log-prefix 'DROP: ' --log-level warning
iptables -A logdrop -j DROP
iptables -A logreject -j LOG --log-prefix 'REJECT: ' --log-level warning
iptables -A logreject -j REJECT
iptables -A logaccept -j LOG --log-prefix 'ACCEPT: ' --log-level warning
iptables -A logaccept -j ACCEPT

Now you have a basic setup with some logging.
The next step is to add your own rules and jump to the corresponding chain on a positive match.
You could leave the default policies of the INPUT, FORWARD and OUTPUT chains at ACCEPT and add a jump to logdrop at the end of each chain, so that any packet matching none of your rules is logged and dropped automatically.

Small example:

# Accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Accept traffic from established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept new SSH connections
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j logaccept -m comment --comment "Allow SSH"
# Accept new SSL connections
iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j logaccept -m comment --comment "Allow SSL"
# Accept new HTTP connections
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j logaccept -m comment --comment "Allow HTTP"
# Drop and log everything else incoming
iptables -A INPUT -j logdrop

# Reject and log anything that would be forwarded through this host
iptables -A FORWARD -j logreject

You could then add a small piece of rsyslog configuration to split these messages out into separate log files, for example in /etc/rsyslog.d/iptables.conf:

:msg,contains,"ACCEPT: " /var/log/iptables-accept.log
:msg,contains,"REJECT: " /var/log/iptables-reject.log
:msg,contains,"DROP: " /var/log/iptables-drop.log
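As an added example that is not part of the original post, here is a small script that reads the lines the logdrop chain writes (the kernel's LOG format with the "DROP: " prefix) and reports which source addresses hit which ports most often, which is the first question you will have when reviewing /var/log/iptables-drop.log. The log lines are constructed samples and the file is a temporary stand-in for the real log.

```shell
#!/bin/sh
# Added example, not from the original post: summarise "DROP: " lines from the
# logdrop chain into a per-source / per-destination-port count.

# Print "count SRC DPT PROTO" for every DROP line in the given file, busiest first.
# DPT is "-" for protocols without ports (e.g. ICMP).
summarize_drops() {
    awk '
        /DROP: / {
            src = ""; dpt = "-"; proto = "-"
            # Every field of a LOG line is KEY=VALUE (or a bare flag such as DF)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample of what rsyslog writes to /var/log/iptables-drop.log
# (the MAC field is abbreviated; the script does not use it).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 20 10:15:01 gw kernel: DROP: IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 20 10:15:02 gw kernel: DROP: IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 20 10:15:03 gw kernel: DROP: IN=eth0 OUT= MAC=... SRC=198.51.100.9 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
Jan 20 10:15:04 gw kernel: DROP: IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=4000 DPT=161 LEN=20
Jan 20 10:15:05 gw kernel: ACCEPT: IN=eth0 OUT= MAC=... SRC=192.0.2.1 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
EOF

summarize_drops "$SAMPLE_LOG"
```

With the three rsyslog filter lines above, each message is still delivered to the regular syslog and kernel log files as well; follow each line with `& stop` (`& ~` on older rsyslog releases) if you want the messages only in the split files.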
Comment, May 17th, 2010 at 09:35 (#1):

Good article, thanks!
